Posts tagged “InfoWar”

A new report from www.trusted.pt documents their investigation into GhostNet in Portugal. I’ve only been able to read it via Google translate but it seems very interesting. During the GhostNet investigation we found several Portuguese infections including:

Embassy of Portugal, Germany

Embassy of Portugal, France

Embassy of Portugal, Finland

CEGER, Management Center for the Electronic Government Network, Portugal

The trusted.pt investigated further and found two control servers and access the attacker’s admin interface:

In September 2009 it had full access to the two administration interfaces of “GhostNet, one on each controller. The administration interface is an application in php, rather crude but effective, at home we can see all computers that have taken place in these drivers, in this case were 730, from 67 countries The interface allows complete control over the infected machine. Through something like “modules” can be added to the infected machines new features such as keyloggers, trojans remote control in real time ( “GhostRAT”), execute remote commands, send and receive files, and view the files sent automatically by computers infected.

This is exactly what we found. However, trusted.pt was able to view the documents pilfered from the infected machines and provided this summary:

It was investigated and found to exist in “GhostNet” of 1.1 gigabytes of information from computers with IP addresses associated with the Ministry of Foreign Affairs – An. Pst Ambassador of Portugal in India – JPEG procedures for employees, including passage of visas was searched and found the existence of the “GhostNet” of 7.9 gigabytes of information from computers with IP addresses associated with the Ministry of Justice:

– Multiple files. pst ITIJ employees with diverse and sensitive.
– Documents describing the procedures, configurations, and topologies of the main services of the ministry of justice, including passwords (modules keylogger) for remote access to servers.
– Documents relating to the electoral process, action plans and contingency plans, descriptions of settings and network topology election, including any data source from the civilian governments, passwords, configuration of routers, switches and other equipment.
– Various. Pst files and passwords for employees of the Directorate General of Registration and Notary, which allow a total view of how the services work, including conservatories of civil status and property. Passwords for access to the applications used.
– In the Judiciary Police, including working procedures – Several technical information for the computer systems of courts and their applications (SITAF, habilus).
– Several files of cases that we think have been removed from computers officials or judges – Documents relating to the prosecutor.
– Computer Applications as Habilus.

In fact and in view of the files found concrete strip to the frightening conclusion that the spying by “GhostNet in Portugal was able to reach key bodies of the Portuguese as the courts, and there (and there?) A serious infection in various organisms containing valuable and sensitive information that should in theory is well protected. An attempt was made during the time it gained access to the two drivers “GhostNet” beyond the operating system hosting the interface, but you do not find any fault in it that we can make the most important information about the reasons and people behind this network of highly dangerous espionage, and our access was lost about 72 hours after first contact.

For me, it illustrates that we need to share information about these attacks rather than keep it all to ourselves. If incidents are treated as isolated cases the bigger picture and broader implications can’t be well understood. It is important to recognize that the same attackers are targeting a wide variety of organizations — not just yours :). The flip side is that the attackers become aware of what we know about them, and it may blow surveillance. But at this point I think it is more important to understand the broader pattern and significance of the attacks. Moreover, it is important to understand the motivations behind the attacks and at this point the best way of doing that is looking at the targets of the attackers and fitting them into a broader contextual analysis.

Anyway, I just want to say thanks to Van Horenbeeck, F-Secure (Mikko), and ThreatExpert.

When it comes to internet-based attacks, such as the recent DDoS attacks against in South Korea and the U.S., questions arise regarding the identity and motivations of those responsible for the attacks. Because attribution is difficult, if not close to impossible, in these types of cases speculation based on correlated events tends to overshadow a cautious, evidence-based approach.

This case had all the right ingredients: attacks on South Korean and U.S. governmental sites timed on July 4th with Independence Day and the availability of a convenient adversary, North Korea, which had just test fired short range missiles a day earlier.

It didn’t take long for North Korea to emerge as the suspect, in part, thanks to the South Korea’s National Intelligence Service which told the NYT that the attack “was not a simple attack by an individual hacker, but appears to be thoroughly planned and executed by a specific organization or on a state level.” Rumours of North Korean involvement circled in the South Korean media. The WP reported on previous reports of a North Korean cyberwarfare unit. Thousands of headlines such as “North ‘ordered crippling cyber-attacks‘” and “North Korea launched cyber attacks, says south” later we were caught up in a cyberwar frenzy.

Taking the “hype-ster” prize was Nicholas Eberstadt, a senior fellow at the American Enterprise Institute:

“The cyber attacks are part of an asymmetric warfare strategy,” says Nicholas Eberstadt, senior fellow at the American Enterprise Institute in Washington. “Part of an effective confrontation with the US war machine would be the ability to disable US information [systems].”

Mr. Eberstadt sees the cyber attacks as an integral component of North Korean testing of atomic devices on May 25 and in October 2006, as well as a recent flurry of tests of missiles that may one day be able to carry nuclear warheads.

“They may look like malicious cyber pranks,” he says, “but the greater purpose is clear. When one looks at the nuclear chessboard, their security is integrally tied to this type of warfare.” In order to launch a nuclear-tipped missile, he says, the North Koreans need a cyber warfare component in their arsenal.

However, I think that at least some of the hype was curtailed thanks to an early an strong sense of caution put forward by some experts. These people saw through the hype and focused on the facts:

“I would call this a garden-variety attack,” said Jose Nazario, manager of security research at Arbor Networks, a network security firm that is based in Chelmsford, Mass… “The code is really pretty elementary in many respects,” he added. “I’m doubting that the author is a computer science graduate student.”

First we have seen no evidence to point a finger at North Korea. How could we tell anyway without an extensive investigation and access to all kinds of logs and other data? Unless someone has a lot of extra information, this has to be pure wild speculation as well. Cyberwar? NO way! The term Cyberwar gets thrown around all the time. It’s hard to define and everyone has differing views. However, I would venture to say this is far from what most people would call a Cyberwar. It is a bit closer to Cyber Terrorism but definitely not Cyberwar.

While a lot of the analysis is still ongoing – and likely to continue long after the public looses interest – I’ve come to the conclusion that this DDoS attack has very little to do with North Korea and only consipiritory theorists could conclude that this is a state-sponsored kick off to cyber-war.

Sure enough, the blame game changed and the UK was fingered as the “source” of the attacks.

Why? Because a Vietnamese security company “gained control ” of 2 of the command and control servers and found that the “master” control server had an IP address in a range assigned to the UK. The headlines changed: “British hackers claimed to be behind US and Korean attacks“. Really? Because the IP address of the control server correlated with a range assigned to the UK?

Locating sources of attacks, both the bots and the C&C’s, based on geographic location of the IP address and fusing it with biased correlations to determine the indentity of the attackers is not a very useful way for understanding internet-based attacks. According to Bkis (the guys who “acquired” two of the C&C’s) there were 166,908 zombies spread across 74 countries with South Korea, the USA, and China being the top three. What about the C&C’s? The dropper connects to three IP’s one in Germany, Austria and the USA. The malware also connected to IP’s in Turkey, USA, Pakistan, Mexico, Guatemala, Taiwan, Thailand and newrozfm.com which is hosted in Turkey.

Luckily, none actually were in North Korea.

Geographic correlations are not irrelevant, but one must be cautious about jumping to conclusions. The same can be said for socio-polical events that happen to coincide with internet-based attacks. Finally, the “blame your enemy” reaction needs to be treated with an appropriate level of skepticism.

The Internet-based attacks surrounding the Russia-Georgia conflict in August 2008 have resurfaced thanks to a report by the U.S. Cyber Consequences Unit (US-CCU). Because the report is top secret, all that is publicly available is a summary.

There are a number of reports on the Ru-Ge incident. While some are very well done, noticeably absent from these reports are attempts to provide and explore alternative explanations. Since attribution in these type of attacks is difficult (to put it mildly) analysis is often infused with a predisposition toward a certain conclusion and all evidence is interpreted in only one direction. (Morozov’s “10 easy steps to writing the scariest cyberwarfare article ever” is applicable to most of them.)

Since there is basically no “smoking gun” in cyberspace the credibility of one’s claims depends on how well one explores alternative explanations.

One of the Ru-Ge issues I have been thinking about concerns timing. In the US-CCU report summary the issue of timing is raised. The US-CCU concludes:

The organizers of the cyber attacks had advance notice of Russian military intentions, and they were tipped off about the timing of the Russian military operations while these operations were being carried out.

Why? Because they “had” to be.

Many of the cyber attacks were so close in time to the corresponding military operations that there had to be close cooperation between people in the Russian military and the civilian cyber attackers.

Maybe, but are there other possible explanations?

First, the timing of the war itself is unclear. The NY Times reports that Georgia believes that the Russians had crossed the Roki Tunnel by 3.41 a.m on August 7, 2008. The Russians say it was not until 2:30 p.m. on August 8, 2008 after Georgia had begun shelling Tskhinvali at 11:30 pm August 7, 2008. The NYT reports that “Western intelligence” indicates that the Russians “may have moved to secure the entire tunnel either on the night of Aug. 7 or early in the morning of Aug. 8.”

Second, the timing if the internet-based attacks is unclear. The CCD COE report cites a STRATFOR report which claims:

“Russia’s offensive against Georgia began not with tanks or fighter jets, but in cyberspace. STRATFOR knows firsthand that Georgian government and media Web sites began to crash the night of Aug. 7 — well before Russian troops emerged on the south side of the Roki Tunnel in the breakaway republic of South Ossetia the following morning.”

Shadowserver, a trustworthy and awesome group, documented DDOS attacks begining on August 8, 2008. The attacks were from known C&C’s some of which have been around for more than a year and have attacked unrelated sites. In fact, the same C&C’s attacked www.president.gov.ge on July 20, 2008.

Dancho Danchev wrote an informative post in which he stated that following the July attack there had been discussions on DDOS and defacements and the use should it be needed:

The attacks originally starting to take place several weeks before the actual “intervention” with Georgia President’s web site coming under DDoS attack from Russian hackers in July, followed by active discussions across the Russian web on whether or not DDoS attacks and web site defacements should in fact be taking place, which would inevitably come as a handy tool to be used against Russian from Western or Pro-Western journalists. The peak of DDoS attack and the actual defacements started taking place as of Friday

US-CCU says that because the attacks materialised so quickly in connection with the Russian kinetic attacks the internet-based attacks must have been prepared in advanced and that “the signal to go ahead also had to have been sent before the news media and general public were aware of what was happening militarily.” Well, we already know that there was a DDOS in July by the same C&C’s that attacked in August. Also, there had been “active discussions across the Russian web” after the July attacks on DDOS and defacement of Georgian and related targets. And from limited logs that I’ve seen there were a variety of attacks, including SQL injection, occuring over this period.

Moreover, some of the web sites that were defaced had been previously defaced. mfa.gov.ge was defaced 2008/04/17 (and three times in 2000, suggesting it has a history of insecurity) and parliament.ge was defaced on 2008/03/14. (Zone-H’s gov.ge defacement archive).

News media had been consistently reporting on the ongoing conflict in the region. For example, CNN reported on August 7, 2008 that Georgia had accused Russia of bombing Georgian territory. And the Russian incursion into Georgian was widely reported on August 8, 2008.

It is unclear if the attacks began before the Russian kinetic attack, or afterward. Part of the reason is that when the Russian kinetic attack began is unclear. This makes the correlation of the internet and kinetic attacks unwieldy.

The botnets were in place (busily attacking unrelated targets), had been used previously against www.president.gov.ge, and could be issued commands at any time. The web sites that were defaced had been previously defaced and mfa.gov.ge had a long history of insecurity. The global news coverage of the crises indicated that the crises was escalating and that a Russian bombing campaign may have started on August 7th.

In my view there is an alternative explanation that deserves to be explored: potential attackers who had been discussing potential attacks since July 20, 2008 and following the events could have been ready to respond as the crises predictably escalated without advance knowledge of the Russian attack or any explicit coordination with the Russian military.

CIPAV – docs 1, 2, 3 — Because suspects are increasingly using tools to mask their IP address the FBI now uses a “computer and internet protocol address verifier” to identify a suspect’s IP (as well as additional info) . It appears to work be levergaing various “drive-by” exploits. On a worrying note, the first few lines of the document obtained by Wired via FOIA note “we are seeing indications that it is being used needlessly by some agencies, unnecessarily raising difficult legal questions”.

Joint Strike Fighter – The same WaPo reporter behind the “electricity grid hack” story strikes again. This time with at least a few interesting details. What I found interesting is the mention of the fact that the attacks were reportedly on allies, such as Turkey, that are part of the development and on contractors such as Lockheed Martin, Northrop Grumman Corp. and BAE Systems PLC. (more here).

If by “debunking” you mean “validating” the GhostNet report you should listen to Paul Ducklin from Sophos discuss GhostNet in this interview. To be fair to Ducklin, I think that his comments are pretty much spot on but the host appears to be confused between our GhostNet report and the “Snooping Dragon” report by the folks at Cambridge.

Ducklin spanks us for relying on VirusTotal which is a point well taken. He also raises the attribution issue but in the context of the sophistication and availability of the tools the attacker used in the GhostNet case. We too raise this issue noting that while the individual tools used by the attackers were technically unsophisticated they were still able to infect and control high value targets in many cases for long period of time.

This report serves as a wake-up call. At the very least, a large percentage of high-value targets compromised by this network demonstrate the relative ease with which a technically unsophisticated approach can quickly be harnessed to create a very effective spynet…These are major disruptive capabilities that the professional information security community, as well as policymakers, need to come to terms with rapidly.

Tibet is the starting point of our story because that is where we (and by we I mean all the hard work of Greg Walton over the years) had samples of socially engineered emails with malicious attachments that were sent to Tibetan-related organizations and individuals. (Maarten Van Horenbeeck has done great work in this area concerning Tibet and the Falun Gong.) Greg also developed the trust relationships that allowed him (and Shishir from the Cambridge team) to travel to Dharmsala and collect network traffic from the OHHDL. Greg also collected samples from Tibetan-related organizations around the world.

Were people at these organizations really becoming infecting as a result of falling for these socially engineered attacks? Was there anything more we could find out about the control servers other than that these pieces of malware connect to IP addresses that are often in China? In many cases we were not able to find out much other than the obvious: a malware infected computer that connects to a control server in China. In fact, in many cases the control servers were identified in the field.

But when analyzing the data collected at the OHHDL back in the Citizen Lab, we were able to identify traffic to a control server in China (in Hainan Province) that was not identified in the field research and were able to find the attackers web-interface on it and several additional control servers. By carefully going through the data we were able to identify two distinct malware infections on the same computer at the OHHDL. While each piece had more than one control server, we were able to identify commonalities that allowed us to group the control servers into two distinct networks.

The infection we focused on issued HTTP GET requests to several PHP files on a server. There were connections to two domain names on the same server IP address. A lookup in APNIC shows that this IP address is assigned to a range belonging to Hainan-TELECOM in Hainan Province in China. One particular request stood out since it contained a parameter that appeared to contain a date while rest of the parameters in the request were encoded with base64. We took that string and put it in Google, and were surprised to see results.

Since it was not secured with a password we were able to click directly on a link from Google which took us straight to the attackers’ web interface. There was no “hacking” involved. I have a healthy fear of prison and stay clearly within the limits of the law.

Now that we knew the file names and paths favoured by the attacker we were able to guess the location of 26 such interfaces including several on the server to which the infected OHHDL computer connected.

It became clear that the attackers’ had a wide interest of targets that extended far beyond the Tibetans. When Ducklin discusses the wide range of malicious documents he’s seen that are similar to the ones used by the attackers we focused on it corroborates information that some of those who have been infected (that are not Tibetan related) are telling us. Non-Tibetan targets receive socially engineered emails that are contextually relevant to them. Many of the most interesting GhostNet victims are embassies, government ministries and international organizations. These are not Tibet specific targets.

GhostNet is *not* Tibet specific.

In our report we devoted a significant portion to alternative explanations and a discussion of the attribution problem. We do *not* say that we can prove that the Chinese government is behind GhostNet. In fact, we raise several plausible scenarios. Moreover, we suggest that this network is probably *not* unique and that there are many more like it out there.

One thing I’ve pointed out and will do so again is that just because tools used by the GhostNet attackers are widely available does not necessarily preclude government involvement. I mean what would that look like any way? A trojan labeled “Developed by the Government of China”? If I wanted to meld into the crowd, if I wanted to leverage the attribution problem, I’d use available tools and common methods. The GhostNet attackers showed that using such less sophisticated methods can be quite successful. Why reinvent the wheel and possibly provide a ‘smoking gun’ that points directly to you? Furthermore, if you could leverage independent actors to do the dirty work for, even better. There’s even less traceabilty.

That is why we stated right in the beginning of the report that “the study clearly raises more questions than it answers.”

DarkVisitor picked up on some information in the GhostNet report that we didn’t really focus on — the email addresses and other information in the domain name registration records — and were able to track down the owner of the email address listed in the registry information associated with the control servers www.lookbytheway.net and www.macfeeresponse.org. An infected computer at the OHHDL connected to these domain names and Greg and Shishir were able to observe sensitive documents being transmitted to www.macfeeresponse.org while collecting data in Dharmsala, India. Greg later found that a computer at the Tibetan NGO Drewla aslo connected to www.lookbytheway.net. Both these domains were registered to “zhou zhao jun” using the email address losttemp33@hotmail.com. (I recall Greg and Jaymz working on this for a time, but I think we lost focus when we found the web-interface to the control servers used by a different piece of malware that had infected a computer at the OHHDL which we dubbed GhostNet.)

In a fascinating post, The folks at DarkVisitor were able to track down the owner of that email address as well some forum posts and blog entries that allowed them to acquire the QQ id of the owner of the email address and initiate contact with him. It was really great to see DarkVisitor explore this further.

I’d been calling this malware family “CGI” after their use of CGI scripts, but I like the DarkVisitor’s “CasperNet” better.

In addition to a GET request that appears to be a simple “check in” there were some POST connections:

These also appear to be “check ins” — the connections to serverlog.cgi are 15 bytes and contain basically the same information that appears in the GET requests. The connections to Report.cgi are larger (104 bytes) and contain some binary data in addition to text that is similar to the other connections. All these connections occur with a high degree of frequency.

There are significantly fewer connections to the this server and its function appears to be directly related to the retrieval of documents from infected computers. The POST connections to Auto.cgi contain a file name and the command “@@@@begin” which is followed by a POST to AutoTrans.cgi which actually uploads the targeted document. After several connections the entire document is uploaded and another POST is issued to Auto.cgi with the command “@@@@end”.

The packet dumps we analyzed showed two documents being uploaded and according to the person using the infected computer one of these documents was related to the Dalai Lama’s negotiating position with China and the other contained a list of numerous email addresses.

One of the things I really like about the DarkVisitor investigation is that it reminds us to be careful on the question of attribution. There are a variety of actors operating in this space with a variety of motives. Individuals and groups may be engaging in systematic exploitation of political targets for a variety of reasons that are completely divorced from state intelligence services (even if they appear to be aligned with such interests).

The fact that the DarkVistor research points to the possibility that the CasperNet is the work of a “cracker” (I prefer this definition of “hacker“), and not the Chinese Government as the context alone might suggest, simply shows the complications of attribution. There are numerous scenarios a variety of which we explore in “Tracking GhostNet” that focus on the “privateer” model but there are others as well. An intelligence agent could be tasked compromising political targets using only the tools and methods available within the community. Conversely, attackers may pillage compromised machines for credit card numbers, lists of email addresses to conduct further social engineering attacks as well as politically sensitive information that can be sold.

This is the “attribution problem”. Rather than rely on unconfirmed anecdotes and unnamed sources, political context and speculation and/or the fact that control servers are hosted on IP addresses in ranges assigned to China to produce a “smoking gun” pointing at the Chinese government we included a section focused on “alternative explanations” in order to explore variety of scenarios. As noted above, these alternative explanations, even those that focus on the acts of private individuals and groups, do not necessarily absolve the Chinese government but they provide an honest analysis of the variety of possibilities.

Symantec has put out a nice video demonstrating how gh0stRAT works. We gave the name “GhostNet” to the network of infected computers we uncovered because of the attackers’ use of the gh0stRAT tool but it is important to bear in mind how the whole operation works as gh0stRAT is just one part of it.

One of infection vectors that we can confirm that the attacker uses is sending contextually relevant emails with malware packed attachments (.doc’s and .pdf’s) to potential targets. (If you are interested check out Maarten Van Horenbeeck’s work herehere and definitely here — it really is the best research on this stuff out there).

When the the attachment is opened a trojan is dropped on the system. This trojan “checks in” with a control server. In this case, it was an HTTP connection to a webserver. The infected computer retrieves various files from the control server some of which contain “commands” — one of the commands the attacker issues instructs the infected computer to download and install gh0stRAT. While gh0stRAT allows the attacker to take “real time” control of a compromised computer — the attacker is online and the victim is online at the same time. — the initial infection allows the attacker to maintain control when either party is offline.

Once infected with gh0stRAT the compromised computer connects out to a URL (a file on the control server) in order to retrieve the IP address of the attacker’s gh0stRAT client. When the attacker is offline, the IP will often be 127.0.0.1 and will be replaced by another IP when the attacker is online and ready to receive connections from the compromised computers running gh0stRAT.

Starting on March 30 2009 the GhostNet starting coming down. The attacker began removing the files and directories being used and then began to configure the domain names of some the control servers to point to 127.0.0.1. Files hosted on other (probably compromised) “command” servers also started disappearing at the same time. It’ll be interesting to see if, when and where the network pops up again.

The capabilities of GhostNet are far-reaching. The report reveals that Tibetan computer systems were compromised giving attackers access to potentially sensitive information, including documents from the private office of the Dalai Lama. The report presents evidence showing that numerous computer systems were compromised in ways that circumstantially point to China as the culprit. But the report is careful not to draw conclusions about the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. The report argues that attribution can be obscured.

The report concludes that who is in control of GhostNet is less important than the opportunity for generating strategic intelligence that it represents. The report underscores the growing capabilities of computer network exploitation, the ease by which cyberspace can be used as a vector for new do-it-yourself form of signals intelligence. It ends with warning to policy makers that information security requires serious attention.

Researchers at the Information Warfare Monitor uncovered a suspected cyber espionage network of over 1,295 infected hosts in 103 countries. This finding comes at the close of a 10-month investigation of alleged Chinese cyber spying against Tibetan institutions that consisted of fieldwork, technical scouting, and laboratory analysis.

Close to 30% of the infected hosts are considered high-value and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs. The investigation was able to conclude that Tibetan computer systems were compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information, including documents from the private office of the Dalai Lama.

Who is ultimately in control of the GhostNet system? While our analysis reveals that numerous politically sensitive and high value computer systems were compromised in ways that circumstantially point to China as the culprit, we do not know the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. One of the characteristics of cyber-attacks of the sort we document here is the ease by which attribution can be obscured.

Regardless of who or what is ultimately in control of GhostNet, it is the capabilities of exploitation, and the strategic intelligence that can be harvested from it, which matters most. Indeed, although the Achilles’ heel of the GhostNet system allowed us to monitor and document its far-reaching network of infiltration, we can safely hypothesize that it is neither the first nor the only one of its kind.

As Information Warfare Monitor principal investigators Ron Deibert and Rafal Rohozinski say in the foreword to the report, “This report serves as a wake-up call. At the very least, a large percentage of high-value targets compromised by this network demonstrate the relative ease with which a technically unsophisticated approach can quickly be harnessed to create a very effective spynet…These are major disruptive capabilities that the professional information security community, as well as policymakers, need to come to terms with rapidly.”

Download the full report here: http://www.infowar-monitor.net/ghostnet/

The report has been co-timed for release with an exclusive story by the New York Times’ John Markoff. Download the New York Times story here: http://www.nytimes.com/2009/03/29/technology/29spy.html

Hard disks sold in Taiwan contained trojan horse programs. The Taipei Times reports:

Portable hard discs sold locally and produced by US disk-drive manufacturer Seagate Technology have been found to carry Trojan horse viruses that automatically upload to Beijing Web sites anything the computer user saves on the hard disc, the Investigation Bureau said.

Around 1,800 of the portable Maxtor hard discs, produced in Thailand, carried two Trojan horse viruses: autorun.inf and ghost.pif, the bureau under the Ministry of Justice said. The tainted portable hard disc uploads any information saved on the computer automatically and without the owner’s knowledge to www.nice8.org and www.we168.org, the bureau said.

Chinese spying or manufacturer’s blunder? It seems odd that hard disks would have been infected before even being sold.

The OpenNet Initiative released a report documenting the Internet shutdown in Myanmar/Burma. Similar to the shutdown in Nepal after the King assumed power in a coup in 2005. Both of the ISPs cut their Internet access from September 29 to October 4 with the exception of a few brief periods of access. Also, the shutdown was gradual:

ONI also looked for signs of how the infrastructure was turned off during these outages. The Burmese Autonomous System (AS), which, like any other AS, is composed of several hierarchies of routers and provides the Internet infrastructure in-country. A switch off could therefore be conducted at the top by shutting off the border router(s), or a bottom up approach could be followed by first shutting down routers located a few hops deeper inside the AS.

A high-level traffic analysis of the logs of NTP (Network Time Protocol) servers indicates that the border routers corresponding to the two ISPs were not turned off suddenly. Rather, our analysis indicates that this was a gradual process: traffic fell to 14 percent of the previous week’s average on September 28, going down to 7 percent of the average on September 29 and zero traffic on September 30. This matches with the BGP data coming from AS 9988 and AS 18399 belonging to MPT and BaganNet respectively.